CVE-2023-27484 | Unchecked fieldpath index in Composition's patches can lead to arbitrary memory allocation in crossplane

crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions an already highly privileged user able to create or update Compositions can specify an arbitrarily high index in a patch's `ToFieldPath`, which could lead to excessive memory usage once such Composition is selected for a Composite resource. Compositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated and if a specified index is greater than the current size of the target slice, Crossplane will grow that slice up to the specified index, which could lead to an excessive amount of memory usage and therefore the Pod being OOM-Killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value. This issue has been addressed in versions 1.11.2, 1.10.3, and 1.9.2. Users are advised to upgrade. Users unable to upgrade can restrict write privileges on Compositions to only admin users as a workaround.

Published: 2023-03-09 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2023-27484 is rated Moderate Risk (41.7/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.68%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2023-27484

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.31% 0.68% +0.37%
2 2026-03-25 0.41% 0.31% -0.10%
3 2026-03-12 0.41%

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2023-27484

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.2 3.1 MEDIUM
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H Click to expand
Attack vector (AV:A)
Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.7 4.0 [email protected]
4.9 3.1 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.2 3.6 [email protected]

Weakness enumeration for CVE-2023-27484

GitHub Security Advisory for CVE-2023-27484

GHSA-v829-x6hh-cqfq · Severity: medium · Ecosystem: go — Crossplane-runtime contains Improper Input Validation via Compositions

Affected software / configurations for CVE-2023-27484

Vendor Product Version Raw CPE
crossplane crossplane >= 1.9.0, < 1.9.2 cpe:2.3:a:crossplane:crossplane:*:*:*:*:*:*:*:*
crossplane crossplane >= 1.10.0, < 1.10.3 cpe:2.3:a:crossplane:crossplane:*:*:*:*:*:*:*:*
crossplane crossplane >= 1.11.0, < 1.11.2 cpe:2.3:a:crossplane:crossplane:*:*:*:*:*:*:*:*

References for CVE-2023-27484

cvelogic Threat Intelligence